Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® Common Information Model Add-on. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Release notes for the Splunk Common Information Model Add-on

Version 4.20.2 of the Splunk Common Information Model Add-on was released on September 15, 2021.

New features

Version 4.20.2 of the Splunk Common Information Model Add-on includes no new features.

Upgrade requirements

Splunk platform version Upgrade activity
8.0.x or later If you apply custom tags to data mapped to CIM data models and you use these tags in searches and search filters, add these tags to the whitelists for those models. See Set up the Splunk Common Information Model Add-on for details about the tags whitelist field.

Compatibility

Version 4.20.x of the Splunk Common Information Model Add-on requires Splunk platform version 8.0.x or later. Some workarounds, such as the datamodels spec workaround for tags_whitelist and poll_buckets, are no longer available in version 7.0.x and later. This might lead to btool check warnings at startup.

Fixed issues

This version of the Splunk Common Information Model Add-on fixes the following issues. If this section is empty, this release has no reported fixed issues.


Known issues

This version of the Splunk Common Information Model Add-on has the following reported known issues. If this section is empty, this release has no reported known issues.

Date filed Issue number Description
2022-08-31 CIM-1108 Adaptive Response relay errors occur when polling a Splunk Cloud search head cluster that is configured with the Spunk_SA_CIM modular action worker.

Workaround:
Following two options are available to resolve the errors:

Option 1: Configure the search head cluster. This is a quick solution but might cause false positive errors.


Configure the heavy forwarders to poll all search heads in the search head cluster, instead of the search head cluster URL. This guarantees the retrieval and dequeing of the alert from the search head that generated the alert. However, the other four search heads still display errors.

Option 2: Enhancements to Splunk_SA_CIM: Splunk_SA_CIM/lib/splunk_sa_cim/modaction_queue.py Create a custom version of the Splunk_SA_CIM with the updated modaction_queue.py file and components to generate an alert. The custom app does not impact the Splunk_SA_CIM app or data model acceleration.

2022-06-29 CIM-1099 ES SOAR adaptive response actions not working.
2022-05-03 CIM-1092 User gets error message "Error: Unexpected token < in JSON at position 0" when expanding a notable event.
2022-03-16 CIM-1087 The Change.json data model includes incorrect constraint searches.
2022-01-25 CIM-1081 Update "recommended" field for Change.user_name, Change.src_user_name, and Alerts.user_name.
2022-01-20 CIM-1078 Remove "expected_values" and "constraints" for the result field in the Change datamodel (Change.json) and correct the description for the result field.
2021-07-02 CIM-1040 CIM 4.20.0 Setup link returns 404

Workaround:
Access the setup page directly by going to https://<URL of your Splunk deployment>/en-US/app/search/cim_setup

Deprecated or removed features

The following are deprecated or removed features for the last seven versions.

As of version 4.20.2:

  • N/A

As of version 4.20.0:

  • N/A

As of version 4.19.0:

  • N/A

As of version 4.18.0:

  • The body field is deprecated in favor of the description field in the Alerts data model and will be removed in a future version.
  • The subject field is deprecated in favor of the signature field in the Alerts data model and will be removed in a future version.

As of version 4.15.0:

  • The Predictive Analytics dashboard is removed in favor of Machine Learning Toolkit functionality.

As of version 4.14.0:

  • The Predictive Analytics dashboard is deprecated in favor of Machine Learning Toolkit functionality and will be removed in a future version.

As of version 4.13.0:

  • N/A

Third-party software attributions

The Splunk Common Information Model Add-on does not incorporate any third-party software or libraries.

Last modified on 18 December, 2023
PREVIOUS
Set up the Splunk Common Information Model Add-on
  NEXT
Support and resource links for the Splunk Common Information Model Add-on

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.20.2


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters